Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45000

CVE-2026-45000: Openclaw SSRF Vulnerability in CDP Profile

CVE-2026-45000 is an SSRF flaw in Openclaw that bypasses security policies during browser CDP profile creation, enabling attacks on private networks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-45000 Overview

CVE-2026-45000 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in OpenClaw versions before 2026.4.20. The flaw resides in the browser Chrome DevTools Protocol (CDP) profile creation path, which skips strict-mode SSRF policy enforcement when profiles are created. Attackers with low-privileged access can persist profiles referencing private-network addresses or cloud metadata endpoints. Those stored targets are subsequently probed during normal profile status operations, producing unauthorized internal requests.

Critical Impact

Authenticated attackers can store browser CDP profiles that bypass SSRF policy checks and trigger internal network requests during routine profile operations.

Affected Products

  • OpenClaw (Node.js distribution) versions prior to 2026.4.20
  • Deployments using the extensions/browser CDP integration
  • Configurations relying on ssrfPolicy strict-mode enforcement

Discovery Timeline

  • 2026-05-11 - CVE-2026-45000 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-45000

Vulnerability Analysis

The vulnerability exists in OpenClaw's browser extension, which integrates with remote browsers via the Chrome DevTools Protocol. When a user creates a browser profile, the resolver path constructs a CDP reachability policy without applying the strict SSRF policy checks used elsewhere in the application. Stored profiles can therefore reference hostnames or IP addresses that the SSRF policy would normally reject, such as 127.0.0.1, RFC1918 ranges, or cloud metadata services like 169.254.169.254.

Later, when the application performs status or health probes against stored profiles, the resolved policy effectively allowlists the configured cdpHost, causing outbound requests to internal endpoints. The result is an SSRF primitive that operates indirectly, leveraging persisted profile data rather than direct request input.

Root Cause

The original resolveBrowserSsrFPolicy function merged caller-supplied extraAllowedHostnames into the policy unconditionally. The CDP host was added to the allowlist regardless of whether allowPrivateNetwork or dangerouslyAllowPrivateNetwork was enabled. This permitted private-network destinations to slip through strict mode by appearing in allowedHostnames.

Attack Vector

An attacker with permission to create or modify browser profiles supplies a cdpHost referencing an internal address. The profile is persisted. During normal profile status operations, OpenClaw issues HTTP requests to that host, bypassing the SSRF guardrails intended to block private-network access.

typescript
// Patch: scope CDP host allowlist to honor strict SSRF policy
-import type { SsrFPolicy } from "../infra/net/ssrf.js";
+import { isPrivateNetworkAllowedByPolicy, type SsrFPolicy } from "../infra/net/ssrf.js";
 import type { ResolvedBrowserProfile } from "./config.js";
 import { getBrowserProfileCapabilities } from "./profile-capabilities.js";
 
+function withCdpHostnameAllowed(
+  profile: ResolvedBrowserProfile,
+  ssrfPolicy?: SsrFPolicy,
+): SsrFPolicy | undefined {
+  if (!ssrfPolicy || !profile.cdpHost) {
+    return ssrfPolicy;
+  }
+  if (isPrivateNetworkAllowedByPolicy(ssrfPolicy)) {
+    return ssrfPolicy;
+  }
+  return {
+    ...ssrfPolicy,
+    allowedHostnames: Array.from(
+      new Set([...(ssrfPolicy.allowedHostnames ?? []), profile.cdpHost]),
+    ),
+  };
+}
+
 export function resolveCdpReachabilityPolicy(
   profile: ResolvedBrowserProfile,
   ssrfPolicy?: SsrFPolicy,

Source: GitHub commit 1fd049e

Detection Methods for CVE-2026-45000

Indicators of Compromise

  • Outbound HTTP requests from the OpenClaw process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or loopback addresses
  • Connections to cloud metadata endpoints such as 169.254.169.254 originating from OpenClaw workers
  • Stored browser profiles containing cdpHost values pointing to internal-only hostnames

Detection Strategies

  • Audit persisted browser profile records for cdpHost values that resolve to private or link-local IP space
  • Monitor process-level network telemetry for OpenClaw services contacting non-public destinations
  • Inspect application logs for repeated profile status probes targeting unusual hosts

Monitoring Recommendations

  • Forward OpenClaw process network events to a centralized analytics platform for correlation
  • Alert on creation events for profiles whose cdpHost fails SSRF policy validation
  • Track version inventory to confirm hosts run OpenClaw 2026.4.20 or later

How to Mitigate CVE-2026-45000

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.20 or later, which scopes the CDP host allowlist to strict SSRF policy
  • Review existing browser profile records and remove any with cdpHost values pointing to internal networks
  • Restrict who can create or modify browser profiles to trusted operators only

Patch Information

The fix is delivered through two upstream commits. Commit 1fd049e scopes the CDP host allowlist by introducing withCdpHostnameAllowed, which respects isPrivateNetworkAllowedByPolicy before allowlisting the configured host. Commit e90c89c refactors resolveBrowserSsrFPolicy to accept and merge extra allowed hostnames cleanly. See the GitHub Security Advisory GHSA-j4c5-89f5-f3pm and the VulnCheck Advisory on SSRF for additional detail.

Workarounds

  • Set ssrfPolicy.allowPrivateNetwork to false and avoid dangerouslyAllowPrivateNetwork until patched
  • Place OpenClaw workers behind an egress proxy that blocks RFC1918 and link-local destinations
  • Restrict outbound network ACLs on OpenClaw hosts so they cannot reach cloud metadata services
bash
# Example egress restriction using iptables to block metadata and private ranges
iptables -A OUTPUT -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.